Krispy Kreme was claimed by the Play ransomware group on Thursday, and now the gang is threatening to leak sensitive data belonging to the beloved doughnut maker just days before Christmas.
The multinational doughnut and coffeehouse chain reported it was first breached by hackers on November 29th.
Now, exactly three weeks later, the Play ransomware gang has laid claim to the attack and says it plans to publish all the data it has allegedly stolen from Krispy Kreme’s networks on December 21st, in two days.
The ransomware group posted the doughnut retailer on its dark leak blog on Thursday, boasting to have exfiltrated “private and personal confidential data, clients documents, budget, payroll, accounting, contracts, taxes, IDs, finance information, etc.”
Play did not provide any samples or the amount of data it reportedly took, instead only listing “???” next to the abbreviation for gigabytes.
Krispy Kreme recovery continues
In a filing with the US Securities and Exchange Commission on December 11th, Krispy Kreme stated that certain business operations had been disrupted, and that its online ordering systems were expected to stay offline “until recovery efforts are completed.”
A Krispy Kreme spokesperson had told Cybernews at the time that in-person ordering was unaffected and that all 1,400 stand-alone doughnut shops and in-store retail locations worldwide were still open.
The most recent update posted on the Krispy Kreme website states that “online ordering has been restored for the majority of our shops. We are working to resolve issues for all shops as soon as possible.”
The company also said that, with the help of leading cybersecurity experts and other advisors, it immediately began taking steps to investigate, contain, and remediate the incident.
It's not clear if the company has been in contact with Play and/or if a ransom demand has been discussed.
Cybernews reached out to Krispy Kreme’s spokesperson about the latest Play ransomware claim and was told the company had no further comment on the matter, directing us back to its original statement.
Play is the third busiest ransomware gang of 2024
Meanwhile, the Play ransomware group has been keeping busy, tracked as the third most active ransomware group in 2024.
According to stats by the Cybernews Ransomlooker monitoring tool, Play has committed roughly 350 attacks on organizations mostly in the US, Canada, Latin America, and Europe in the past 12 months – close to 19% of all attacks in 2024.
First seen two years ago, the suspected Russian-linked outfit trails LockBit, the most active gang of the year with 519 attacks (30%), and RansomHub, the second most active group in 2024 with 487 attacks (26%).
According to an FBI bulletin on the group released last December, “Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure.”
In 2023, Play was behind the crippling month-long attack against the City of Oakland, California, the Palo Alto County Sheriff's office in Iowa, and the Donald W. Wyatt maximum security detention center in Rhode Island.
Play is thought to be one of the first ransomware groups to use intermittent encryption, where only certain fixed segments of a system are encrypted, according to an Adlumin profile.
The method allows for faster access and exfiltration of a victim's data, and it seems other notorious groups have since adopted the tactic, including ALPHV/BlackCat, DarkBit, and BianLian.
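Intermittent encryption matters to defenders because a file in which only some fixed segments are encrypted keeps a much lower whole-file entropy than a fully encrypted one, so a detector that scores entropy over the entire file can miss it. The scan below, an added illustration and not code from the article or from any tool it mentions, scores entropy per fixed-size segment instead and labels a file by the pattern it finds. The sample files are constructed in the script: a repeating text document, a copy with every other segment replaced by random bytes to mimic only the shape of a partially encrypted file, and an all-random file standing in for whole-file encryption. The segment size and the two thresholds are assumptions to be tuned per environment.

```python
"""Per-segment entropy scan: why whole-file entropy can miss intermittent encryption."""
import math
import random

CHUNK = 4096   # scan granularity in bytes (assumed; tune per file type)
HIGH = 7.5     # bits/byte at or above which a segment looks like ciphertext (assumed)
LOW = 6.0      # bits/byte at or below which a segment looks like plain content (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size segment, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Label a file by the pattern of its segment entropies.

    'plain'        - no segment looks like ciphertext
    'fully_high'   - every segment looks like ciphertext (whole-file encryption shape)
    'intermittent' - ciphertext-like segments interleaved with plain ones
    'inconclusive' - high segments present but no clearly plain ones (e.g. compressed data)
    """
    ents = chunk_entropies(data, chunk)
    high = sum(1 for e in ents if e >= HIGH)
    low = sum(1 for e in ents if e <= LOW)
    if high == 0:
        return "plain"
    if high == len(ents):
        return "fully_high"
    if low >= 1:
        return "intermittent"
    return "inconclusive"


def build_samples() -> dict[str, bytes]:
    """Constructed test data, not real files: a plain document, a copy whose
    even-numbered segments are replaced with random bytes (the shape of an
    intermittently encrypted file), and an all-random file (whole-file shape)."""
    rng = random.Random(20241219)  # fixed seed so the demo is repeatable
    sentence = b"Quarterly budget summary: revenue, payroll, and contracts. "
    plain = (sentence * (CHUNK * 16 // len(sentence) + 1))[:CHUNK * 16]
    segments = [plain[i:i + CHUNK] for i in range(0, len(plain), CHUNK)]
    partial = b"".join(
        rng.randbytes(CHUNK) if idx % 2 == 0 else seg
        for idx, seg in enumerate(segments)
    )
    full = rng.randbytes(CHUNK * 16)
    return {"plain": plain, "intermittent": partial, "full": full}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        whole = shannon_entropy(blob)
        print(f"{name:12s} whole-file entropy={whole:.2f}  per-segment verdict={classify(blob)}")
```

Run as a script, the partially encrypted sample stays below the whole-file threshold while the per-segment verdict is "intermittent"; the all-random sample trips both. The "inconclusive" label is the important caveat: compressed archives, media and already-encrypted formats legitimately contain high-entropy segments, so this scan is a triage signal to pair with file-type checks, write-burst monitoring and extension-change telemetry, not a verdict on its own.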
As of last year, the gang was seen exploiting remote monitoring and management (RMM) software, as well as leveraging a decades-old Fortinet firewall vulnerability.
Other high-profile Play victims from 2023 include the cloud computing company Rackspace, German hotel chain H-Hotels, and BMW France.